[Pdns-announce] PowerDNS Recursor Security Release 3.6.1
bert.hubert at netherlabs.nl
Wed Sep 10 08:02:23 UTC 2014
We regret that we have to announce a PowerDNS Recursor security release:
Issue: A specific sequence of packets can crash PowerDNS Recursor 3.6.0
Affected: All deployments of PowerDNS Recursor 3.6.0
Not affected: PowerDNS Authoritative Server, PowerDNS Recursor versions other
Workarounds:
1) Only users from netmasks specified in 'allow-from' can cause
2) Add automated restarting
Solution: Upgrade to 3.6.1 using the packages we provided, or apply our minimal patch
Distributions shipping 3.6.0 were notified last week and will be
providing updates very soon.
Recently, we've discovered that PowerDNS Recursor 3.6.0 (but NOT
earlier) can crash when exposed to a specific sequence of malformed packets.
This sequence happened spontaneously with one of our largest deployments,
and the packets did not appear to have a malicious origin.
Yet, this crash can be triggered remotely, leading to a denial of
service attack. There appears to be no way to use this crash for system
compromise or stack overflow.
Fixed packages and sources are available from: https://www.powerdns.com/downloads.html
In addition, if you want to apply a minimal fix, it can be found on:
Finally, distributions that ship PowerDNS Recursor 3.6.0 have been notified
and will be providing updated packages soon.
As for workarounds, only clients in allow-from are able to trigger the
crash, so exposure is limited to your own userbase.
can be used to enable Upstart and Systemd to restart the PowerDNS Recursor
in case of a crash.
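The two workarounds above depend on your deployment: allow-from only helps if it is actually restrictive, and automated restarting has to be configured in the init system. The following script is an added example, not PowerDNS project code or the instructions the advisory refers to. It assumes the config lives at /etc/powerdns/recursor.conf, that the systemd unit is named pdns-recursor.service, and that a drop-in directory /etc/systemd/system/pdns-recursor.service.d is used; it reports the effective allow-from netmasks, flags a configuration that admits any client (0.0.0.0/0 or ::/0), and writes a drop-in with Restart=on-failure. On Upstart the equivalent is the respawn stanza in the job file.

```shell
#!/bin/sh
# Added example (not PowerDNS project code): check whether a recursor's
# 'allow-from' limits who can reach it, and install a systemd drop-in so a
# crashed pdns-recursor.service is restarted automatically.
# Assumptions: config at /etc/powerdns/recursor.conf, unit name
# pdns-recursor.service, drop-in dir /etc/systemd/system/pdns-recursor.service.d.

# Print the netmasks from the last effective 'allow-from=' line in the config.
# Prints nothing if the setting is absent (the recursor's built-in default
# then applies). Commented-out lines are ignored.
allow_from_netmasks() {
  conf="$1"
  grep -E '^[[:space:]]*allow-from[[:space:]]*=' "$conf" \
    | tail -n 1 \
    | sed -e 's/^[^=]*=[[:space:]]*//' -e 's/[[:space:]]*$//'
}

# Exit 0 when allow-from admits the whole Internet, i.e. relying on
# allow-from as a workaround gives no protection at all.
allow_from_is_open() {
  allow_from_netmasks "$1" \
    | tr ',' '\n' \
    | tr -d '[:blank:]' \
    | grep -qxE '0\.0\.0\.0/0|::/0'
}

# Write a systemd drop-in that restarts the recursor after an abnormal exit
# (a crash is an abnormal exit; a clean 'systemctl stop' is not restarted).
install_restart_dropin() {
  dir="$1"
  mkdir -p "$dir"
  cat > "$dir/restart.conf" <<'EOF'
[Service]
Restart=on-failure
RestartSec=2
EOF
}

# Command-line use: sh recursor-check.sh /etc/powerdns/recursor.conf [dropin-dir]
if [ $# -ge 1 ]; then
  conf="$1"
  dropin="${2:-/etc/systemd/system/pdns-recursor.service.d}"
  masks="$(allow_from_netmasks "$conf")"
  echo "allow-from: ${masks:-<unset, built-in default applies>}"
  if allow_from_is_open "$conf"; then
    echo "WARNING: allow-from admits any client; the allow-from workaround gives no protection"
  fi
  install_restart_dropin "$dropin"
  echo "wrote $dropin/restart.conf; now run: systemctl daemon-reload && systemctl restart pdns-recursor"
fi
```

Run it once with the config path to see the effective allow-from, then reload systemd so the drop-in takes effect. The drop-in only masks the symptom (a restart costs a few seconds of resolution for clients); the actual fix is the 3.6.1 upgrade.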
In addition to various fixes related to this potential crash, 3.6.1 fixes a
few minor issues and adds a debugging feature:
* We could not encode IPv6 AAAA records that mapped to IPv4 addresses in some
cases (::ffff:18.104.22.168). Fixed in commit c90fcbd, closing ticket 1663.
* Improve systemd startup timing with respect to network availability (commit
cf86c6a), thanks to Morten Stevens.
* Realtime telemetry can now be enabled at runtime, for example with
'rec_control carbon-server 22.214.171.124 ourname1234'. This ties in to our
existing carbon-server and carbon-ourname settings, but now at runtime. This
specific invocation will make your stats appear automatically on our public
We want to thank the dedicated PowerDNS users that spent months
investigating the rare crashes they observed. Without such an engaged
community, we would never be able to chase down issues like these.
If you have any questions regarding this update, or need help upgrading,
please contact us here or through https://www.powerdns.com/contact.html
PowerDNS Website: http://www.powerdns.com/
Contact us by phone on +31-15-7850372